CyberSecurity Practice

Without question, security has become top of mind for leadership. Many organizations fear the near-certain prospect that they will become victims of a data breach and/or ransomware in the near future. More than ever, firms need to take a proactive position and actively secure their organizations; the first step is knowledge.

Here is a primer for developing and managing a Cyber Security & Consumer Privacy process to help you and your firm become more secure. This is the straightforward process we use at Ascension to help companies achieve high levels of security compliance.

The initial, and perhaps most critical, step is to determine your company’s current security posture. A structured and reliable assessment should always involve reviewing current policies, procedures, technical environments and other security-related functions against recognized standards. Ascension employs a proprietary toolset that draws on a wide spectrum of generally accepted practices. We align and map numerous widely adopted standards and regulations, such as ISO/IEC 27001, NIST SP 800-53, ISA/IEC 62443, COBIT 5, the CIS Controls (CIS CSC), CCPA, GDPR and PCI DSS, into a concise assessment tool to simplify the assessment process and reporting. With a structured assessment in hand, you and your team will be able to scope the security tasks necessary to achieve compliance.

Once the assessment is complete, a reporting system should be implemented to help leadership and other interested parties understand security issues and gaps, as well as the current status of any ongoing remediation efforts.

With the assessment in place and a reporting system communicating and tracking progress, top management should develop a reasonable and effective strategy for closing all security gaps.

The next step is to manage and remediate all identified issues by working with internal teams, third parties and leadership to achieve compliance.

Over time, continuously managing and improving all elements of security will guide your company to a higher, consistent and repeatable security posture.

The ultimate goal is to achieve full compliance with the chosen standards and to provide continuous reporting to ensure ongoing compliance.

Finally, your security process should include, at a minimum, the following operational and security domains of knowledge (the domain descriptions below follow the category definitions of the NIST Cybersecurity Framework):

Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

Business Environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Governance: The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Risk Management Strategy: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Supply Chain Risk Management: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

Awareness and Training: The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.

Data Security & Privacy: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.